Executive Summary

Adequate security of information and the systems that process it is a fundamental management responsibility. Agency officials must understand the current status of their information security program and controls in order to make informed judgments and investments that appropriately mitigate risks to an acceptable level.

Self-assessments provide a method for agency officials to determine the current status of their information security programs and, where necessary, establish a target for improvement. This self-assessment guide utilizes an extensive questionnaire containing specific control objectives and techniques against which an unclassified system or group of interconnected systems can be tested and measured. The guide does not establish new security requirements. The control objectives and techniques are abstracted directly from long-standing requirements found in statute, policy, and guidance on security.

This document builds on the Federal IT Security Assessment Framework (Framework) developed by NIST for the Federal Chief Information Officer (CIO) Council. The Framework established the groundwork for standardizing on five levels of security status and criteria agencies could use to determine if the five levels were adequately implemented. This document provides guidance on applying the Framework by identifying 17 control areas, such as those pertaining to identification and authentication and contingency planning. In addition, the guide provides control objectives and techniques that can be measured for each area.

The questionnaire can be used for the following purposes:

• Agency managers who know their agency's systems and security controls can quickly gain a general understanding of needed security improvements for a system (major application or general support system), group of interconnected systems, or the entire agency.

• The security of an agency's system can be thoroughly evaluated using the questionnaire as a guide. The results of such a thorough review produce a reliable measure of security effectiveness and may be used to 1) fulfill reporting requirements; 2) prepare for audits; and 3) identify resources.

• The results of the questionnaire will assist, but not fulfill, agency budget requests as outlined in Office of Management and Budget (OMB) Circular A-11, "Preparing and Submitting Budget Estimates."

It is important to note that the questionnaire is not intended to be an all-inclusive list of control objectives and related techniques. Accordingly, it should be used in conjunction with the more detailed guidance listed in Appendix B. In addition, details associated with certain technical controls are not specifically provided due to their voluminous and dynamic nature. Agency managers should obtain information on such controls from other sources, such as vendors, and use that information to supplement this guide.

Consistent with OMB policy, each agency must implement and maintain a program to adequately secure its information and system assets. An agency program must: 1) assure that systems and applications operate effectively and provide appropriate confidentiality, integrity, and availability; and 2) protect information commensurate with the level of risk and magnitude of harm resulting from loss, misuse, unauthorized access, or modification. Performing a self-assessment and mitigating any of the weaknesses found in the assessment is one way to determine if the system and the information are adequately secured.


Table of Contents

Acknowledgements iii
Executive Summary iv
1. Introduction 1
1.1 Self-Assessments 1
1.2 Federal IT Security Assessment Framework 2
1.3 Audience 3
1.4 Structure of this Document 3
2. System Analysis 4
2.1 System Boundaries 4
2.2 Sensitivity Assessment 5
3. Questionnaire Structure 7
3.1 Questionnaire Cover Sheet 7
3.1.1 Questionnaire Control 7
3.1.2 System Identification 8
3.1.3 Purpose and Assessor Information 8
3.1.4 Criticality of Information 9
3.2 Questions 9
3.3 Applicability of Control Objectives 11
4. Utilizing the Completed Questionnaire 13
4.1 Questionnaire Analysis 13
4.2 Action Plans 13
4.3 Agency IT Security Program Reports 13
4.3.1 Security Program Management 14
4.3.2 Management Controls, Operational Controls, and Technical Controls 15
Appendix A - System Questionnaire A-1
Appendix B - Source of Control Criteria B-1
Appendix C - Federal Information Technology Security Assessment Framework C-1
Appendix D - References D-1


Security Self-Assessment Guide For IT Systems


1. Introduction

A self-assessment conducted on a system (major application or general support system) or multiple self-assessments conducted for a group of interconnected systems (internal or external to the agency) is one method used to measure information technology (IT) security assurance. IT security assurance is the degree of confidence one has that the managerial, technical, and operational security measures work as intended to protect the system and the information it processes. Adequate security of these assets is a fundamental management responsibility. Consistent with Office of Management and Budget (OMB) policy, each agency must implement and maintain a program to adequately secure its information and system assets. Agency programs must: 1) assure that systems and applications operate effectively and provide appropriate confidentiality, integrity, and availability; and 2) protect information commensurate with the level of risk and magnitude of harm resulting from loss, misuse, unauthorized access, or modification.

Agencies must plan for security, ensure that the appropriate officials are assigned security responsibility, and authorize system processing prior to operations and periodically thereafter. These management responsibilities presume that responsible agency officials understand the risks and other factors that could negatively impact their mission goals. Moreover, these officials must understand the current status of security programs and controls in order to make informed judgments and investments that appropriately mitigate risks to an acceptable level.

An important element of ensuring an organization's IT security health is performing routine self-assessments of the agency security program. For a self-assessment to be effective, a risk assessment should be conducted in conjunction with or prior to the self-assessment. A self-assessment does not eliminate the need for a risk assessment.

There are many methods and tools to help agency officials determine the current status of their security programs relative to existing policy. Ideally, many of these methods and tools would be implemented on an ongoing basis to systematically identify programmatic weaknesses and, where necessary, establish targets for continuing improvement. This document provides a method to evaluate the security of unclassified systems or groups of systems; it guides the reader in performing an IT security self-assessment. Additionally, the document provides guidance on utilizing the results of the system self-assessment to ascertain the status of the agency-wide security program. The results are obtained in a form that can readily be used to determine which of the five levels specified in the Federal IT Security Assessment Framework the agency has achieved for each topic area covered in the questionnaire. For example, the group of systems under review may have reached level 4 (Tested and Evaluated Procedures and Controls) in the topic area of physical and environmental protection, but only level 3 (Implemented Procedures and Controls) in the area of logical access controls.


1.1 Self-Assessments

This self-assessment guide utilizes an extensive questionnaire (Appendix A) containing specific control objectives and suggested techniques against which the security of a system or group of interconnected systems can be measured. The questionnaire can be based primarily on an examination of relevant documentation and a rigorous examination and test of the controls. This guide does not establish new security requirements. The control objectives are abstracted directly from long-standing requirements found in statute, policy, and guidance on security and privacy. However, the guide is not intended to be a comprehensive list of control objectives and related techniques. The guide should be used in conjunction with the more detailed guidance listed in Appendix B. In addition, specific technical controls, such as those related to individual technologies or vendors, are not specifically provided due to their volume and dynamic nature. It should also be noted that an agency might have additional laws, regulations, or policies that establish specific requirements for confidentiality, integrity, or availability. Each agency should decide if additional security controls should be added to the questionnaire and, if so, customize the questionnaire appropriately.

The goal of this document is to provide a standardized approach to assessing a system. This document strives to blend the control objectives found in the many requirement and guidance documents. To assist the reader, a reference source is listed after each control objective question in the questionnaire. Specific attention was paid to the control activities found in the General Accounting Office's (GAO) Federal Information System Control Audit Manual (FISCAM). FISCAM is the document GAO auditors and agency inspectors general use when auditing an agency. When FISCAM is referenced in the questionnaire, the major category initials along with the control activity number are provided, e.g., FISCAM SP-3.1. The cross-mapping of the two documents forms a road map between the control objectives and techniques the audit community assesses and the control objectives and techniques IT security program managers and program officials need to assess. The mapping provides a common point of reference for individuals fulfilling differing roles in the assessment process and ensures that both parties are reviewing the same types of controls.

The questionnaire may be used to assess the status of security controls for a system, an interconnected group of systems, or agency-wide. These systems include information, individual systems (e.g., major applications, general support systems, mission critical systems), or a logically related grouping of systems that support operational programs (e.g., Air Traffic Control, Medicare, Student Aid). Assessing all security controls and all interconnected system dependencies provides a metric of the IT security conditions of an agency. By using the procedures outlined in Chapter 4, the results of the assessment can be used as input on the status of an agency's IT security program.

1.2 Federal IT Security Assessment Framework

The Federal IT Security Assessment Framework issued by the federal Chief Information Officer Council in November 2000 provides a tool that agencies can use to routinely evaluate the status of their IT security programs. The document established the groundwork for standardizing on five levels of security effectiveness and measurements that agencies could use to determine which of the five levels are met. By utilizing the Framework levels, an agency can prioritize agency efforts as well as use the document over time to evaluate progress. The NIST Self-Assessment Guide builds on the Framework by providing questions on specific areas of control, such as those pertaining to access and service continuity, and a means of categorizing evaluation results in the same manner as the Framework. See Appendix C for a copy of the Framework.
1.3 Audience

The control objectives and techniques presented are generic and can be applied to organizations in private and public sectors. This document can be used by all levels of management and by those individuals responsible for IT security at the system level and organization level. Additionally, internal and external auditors may use the questionnaire to guide their review of the IT security of systems. To perform the examination and testing required to complete the questionnaire, the assessor must be familiar with and able to apply a core knowledge set of IT security basics needed to protect information and systems. In some cases, especially in the area of examining and testing technical controls, assessors with specialized technical expertise will be needed to ensure that the questionnaire's answers are reliable.


1.4 Structure of this Document

Chapter 1 introduces the document and explains IT security assessments and the relationship to other documents. Chapter 2 provides a method for determining the system boundaries and criticality of the data. Chapter 3 describes the questionnaire. Chapter 4 provides guidance on using the completed system questionnaire(s) as input into obtaining an assessment of an agency-wide IT security program. Appendix A contains the questionnaire. Appendix B lists the documents used in compiling the assessment control objective questions. Appendix C contains a copy of the Federal IT Security Assessment Framework. Appendix D lists references used in developing this document.
2. System Analysis

The questionnaire is a tool for completing an internal assessment of the controls in place for a major application or a general support system. The security of every system or group of interconnected system(s) must be described in a security plan. The system may consist of a major application or be part of a general support system. The definitions of major application and general support system are contained in Appendix C. Before the questionnaire can be used effectively, a determination must be made as to the boundaries of the system and the sensitivity and criticality of the information stored within, processed by, or transmitted by the system(s). A completed general support system or major application security plan, which is required under OMB Circular A-130, Appendix III, should describe the boundaries of the system and the criticality level of the data. If a plan has not been prepared for the system, the completion of this self-assessment will aid in developing the system security plan. Many of the control objectives addressed in the assessment are to be described in the system security plan. The following two sections, Section 2.1 and Section 2.2, contain excerpts from NIST Special Publication 800-18, Guide for Developing Security Plans for Information Technology Systems, and will assist the reader in determining the physical and logical boundaries of the system and the criticality of the information.

2.1 System Boundaries

Defining the scope of the assessment requires an analysis of system boundaries and organizational responsibilities. Networked systems make the boundaries much harder to define. Many organizations have distributed client-server architectures where servers and workstations communicate through networks. Those same networks are connected to the Internet. A system, as defined in NIST Special Publication 800-18, Guide for Developing Security Plans for Information Technology Systems, is identified by defining boundaries around a set of processes, communications, storage, and related resources. The elements within these boundaries constitute a single system requiring a system security plan and a security evaluation whenever a major modification to the system occurs. Each element of the system must¹:

• Be under the same direct management control;

• Have the same function or mission objective;

• Have essentially the same operating characteristics and security needs; and

• Reside in the same general operating environment.

All components of a system need not be physically connected (e.g., [1] a group of stand-alone personal computers (PCs) in an office; [2] a group of PCs placed in employees' homes under defined telecommuting program rules; [3] a group of portable PCs provided to employees who require mobile computing capability to perform their jobs; and [4] a system with multiple identical configurations that are installed in locations with the same environmental and physical controls).

¹ OMB Circular A-130, Appendix III defines general support system or "system" in similar terms.

An important element of the assessment will be determining the effectiveness of the boundary controls when the system is part of a network. The boundary controls must protect the defined system or group of systems from unauthorized intrusions. If such boundary controls are not effective, then the security of the systems under review will depend on the security of the other systems connected to it. In the absence of effective boundary controls, the assessor should determine and document the adequacy of controls related to each system that is connected to the system under review.

2.2 Sensitivity Assessment

Effective use of the questionnaire presumes a comprehensive understanding of the value of the systems and information being assessed. Value can be expressed in terms of the degree of sensitivity or criticality of the systems and information relative to each of the five protection categories in section 3534(a)(1)(A) of the Government Information Security Reform provisions of the National Defense Authorization Act of 2000, i.e., integrity, confidentiality, availability, authenticity, and non-repudiation. The addition of authenticity and non-repudiation as protection categories within the Reform Act was to stress the need for these assurances as the government progresses towards a paperless workplace. There are differing opinions on what constitutes protection categories; for consistency with several NIST Special Publication 800 documents, authenticity, non-repudiation, and accountability are associated with the integrity of the information.

• Confidentiality - The information requires protection from unauthorized disclosure.

• Integrity - The information must be protected from unauthorized, unanticipated, or unintentional modification. This includes, but is not limited to:

    • Authenticity - A third party must be able to verify that the content of a message has not been changed in transit.

    • Non-repudiation - The origin or the receipt of a specific message must be verifiable by a third party.

    • Accountability - A security goal that generates the requirement for actions of an entity to be traced uniquely to that entity.

• Availability - The information technology resource (system or data) must be available on a timely basis to meet mission requirements or to avoid substantial losses. Availability also includes ensuring that resources are used only for intended purposes.

When determining the value, consider any laws, regulations, or policies that establish specific requirements for integrity, confidentiality, authenticity, availability, and non-repudiation of data and information in the system. Examples might include Presidential Decision Directive 63, the Privacy Act, or a specific statute or regulation concerning the information processed (e.g., tax or census information).
Consider the information processed by the system and the need for protective measures. Relate the information processed to each of the three basic protection requirements above (confidentiality, integrity, and availability). In addition, it is helpful to categorize the system or group of systems by sensitivity level. Three examples of such categories for sensitive unclassified information are described below:

• High — Extremely grave injury accrues to U.S. interests if the information is compromised; could cause loss of life, imprisonment, major financial loss, or require legal action for correction

• Medium — Serious injury accrues to U.S. interests if the information is compromised; could cause significant financial loss or require legal action for correction

• Low — Injury accrues to U.S. interests if the information is compromised; would cause only minor financial loss or require only administrative action for correction

For example, a system and its information may require a high degree of integrity and availability, yet have no need for confidentiality.

Many agencies have developed their own methods of making these determinations. Regardless of the method used, the system owner/program official is responsible for determining the sensitivity of the system and information. The sensitivity should be considered as each control objective question in the questionnaire is answered. When a determination is made to either provide more rigid controls than are addressed by the questionnaire or not to implement the control either temporarily or permanently, there is a risk-based decision field in the questionnaire that can be checked to indicate that a determination was made. The determination for lesser or more stringent protection should be made due to either the sensitivity of the data and operations affected or because there are compensating controls that lessen the need for this particular control technique. It should be noted in the comments section of the questionnaire that the system security plan contains supporting documentation as to why the specific control has or has not been implemented.
3. Questionnaire Structure

The self-assessment questionnaire contains three sections: cover sheet, questions, and notes. The questionnaire begins with a cover sheet requiring descriptive information about the major application, general support system, or group of interconnected systems being assessed. The questionnaire provides a hierarchical approach to assessing a system by containing critical elements and subordinate questions. The critical element level should be determined based on the answers to the subordinate questions. The critical elements are derived primarily from OMB Circular A-130. The subordinate questions address the control objectives and techniques that can be implemented to meet the critical elements. Assessors will need to carefully review the levels of subordinate control objectives and techniques in order to determine what level has been reached for the related critical element. The control objectives were obtained from the list of source documents located in Appendix B. There is flexibility in implementing the control objectives and techniques. It is feasible that not all control objectives and techniques may be needed to achieve the critical element.

The questionnaire section may be customized by the organization. An organization can add questions, require more descriptive information, and even pre-mark certain questions if applicable. For example, many agencies may have personnel security procedures that apply to all systems within the agency. The level 1 and level 2 columns in the questionnaire can be pre-marked to reflect the standard personnel procedures in place. Additional columns may be added to reflect the status of the control, i.e., planned action date, non-applicable, or location of documentation. The questionnaire should not have questions removed or questions modified to reduce the effectiveness of the control.

After each question, there is a comment field and an initial field. The comment field can be used to note the reference to supporting documentation that is attached to the questionnaire or is obtainable for that question. The initial field can be used when a risk-based decision is made not to implement a control or if the control is not applicable for the system. At the end of each set of questions, there is an area provided for notes. This area may be used for denoting where in a system security plan specific sections should be modified. It can be used to document the justification as to why a control objective is not being implemented fully or why it is overly rigorous. The note section may be a good place to mark where follow-up is needed or additional testing, such as penetration testing or product evaluations, needs to be initiated. Additionally, the section may reference supporting documentation on how the control objectives and techniques were tested and a summary of findings.

3.1 Questionnaire Cover Sheet

This section provides instruction on completing the questionnaire cover sheet, standardizing on how the completed evaluation should be marked, how systems are titled, and labeling the criticality of the system.

3.1.1 Questionnaire Control

All completed questionnaires should be marked, handled, and controlled at the level of sensitivity determined by organizational policy. It should be noted that the information contained in a completed questionnaire could easily depict where the system or group of systems is most vulnerable.

3.1.2 System Identification

The cover page of the questionnaire begins with the name and title of the system to be evaluated. As explained in NIST Special Publication 800-18, each major application or general support system should be assigned a unique name/identifier.

Assigning a unique identifier to each system helps to ensure that appropriate security requirements are met based on the unique requirements for the system, and that allocated resources are appropriately applied. Further, the use of unique system identifiers is integral to the IT system investment models and analyses established under the requirements of the Information Technology Management Reform Act of 1996 (also known as the Clinger-Cohen Act). The identifiers are required by OMB Circular A-11 and used in the annual OMB budget submissions of the Exhibit 53 and 300. In light of OMB policies concerning capital planning and investment control, the unique name/identifier should remain the same throughout the life of the system to allow the organization to track completion of security requirements over time. Please see OMB Circular A-11, Section 53.7 for additional information on assigning unique identifiers. If no unique name/identifier has been assigned or is not known, contact the information resource management office for assistance.

In many cases the major application or general support system will contain interconnected systems. The connected systems should be listed and, once the assessment is complete, a determination should be made and noted on the cover sheet as to whether the boundary controls are effective. The boundary controls should be part of the assessment. If the boundary controls are not adequate, the connected systems should be assessed as well.

The line below the System Name and Title requires the assessor to mark the system category (General Support or Major Application). If an agency has additional system types or system categories, i.e., mission critical or non-mission critical, the cover sheet should be customized to include them.

3.1.3 Purpose and Assessor Information

The purpose and objectives of the assessment should be identified. For example, the assessment is intended to gain a high-level indication of system security in preparation for a more detailed review, or the assessment is intended to be a thorough and reliable evaluation for purposes of developing an action plan. The name, title, and organization of the individuals who perform the assessment should be listed. The organization should customize the cover page accordingly.

The start date and completion date of the evaluation should be listed. The length of time required to complete an evaluation will vary. The time and resources needed to complete the assessment will vary depending on the size and complexity of the system, accessibility of system and user data, and how much information is readily available for the assessors to evaluate. For example, if a system has undergone extensive testing, certification, and documentation, the self-assessment is easy to use and serves as a baseline for future evaluations. If the system has undergone very limited amounts of testing and has poor documentation, completing the questionnaire will require more time.

3.1.4 Criticality of Information

The level of sensitivity of information as determined by the program official or system owner should be documented using the table on the questionnaire cover sheet. If an organization has designed its own method of determining system criticality or sensitivity, the table should be replaced with the organization's criticality or sensitivity categories. The premise behind formulating the level of sensitivity is that systems supporting higher risk operations would be expected to have more stringent controls than those that support lower risk operations.

3.2 Questions

The questions are separated into three major control areas: 1) management controls, 2) operational controls, and 3) technical controls. The division of control areas in this manner complements three other NIST Special Publications: NIST Special Publication 800-12, An Introduction to Computer Security: The NIST Handbook (Handbook); NIST Special Publication 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems (Principles and Practices); and NIST Special Publication 800-18, Guide for Developing Security Plans for Information Technology Systems (Planning Guide). All three documents should be referenced for further information. The Handbook should be used to obtain additional detail for any of the questions (control objectives) listed in the questionnaire. The Principles and Practices document should be used as a reference to describe the security controls. The Planning Guide formed the basis for the questions listed in the questionnaire. The documents can be obtained from the NIST Computer Security Resource Center web site at the URL: http://csrc.nist.gov.

The questions portion of this document easily maps to the three NIST documents described above since the chapters in all three documents are organized by the same control areas, i.e., management, operational, and technical.

Within each of the three control areas, there are a number of topics; for example, personnel security, contingency planning, and incident response are topics found under the operational control area. There are a total of 17 topics contained in the questionnaire; each topic contains critical elements and supporting security control objectives and techniques (questions) about the system. The critical elements are derived primarily from OMB Circular A-130 and are integral to an effective IT security program. The control objectives and techniques support the critical elements. If a number of the control objectives and techniques are not implemented, the critical elements have not been met.

Each control objective and technique may or may not be implemented depending on the system and the risk associated with the system. Under each control objective and technique question, one or more of the source documents is referenced. The reference points to the specific control activity in the GAO FISCAM document or to the title of any of the other documents listed in Appendix B, Source of Control Criteria.


Management Controls

1.  Risk Management
2.  Review of Security Controls
3.  Life Cycle
4.  Authorize Processing (Certification and Accreditation)
5.  System Security Plan

Operational Controls

6.  Personnel Security
7.  Physical Security
8.  Production, Input/Output Controls
9.  Contingency Planning
10. Hardware and Systems Software Maintenance
11. Data Integrity
12. Documentation
13. Security Awareness, Training, and Education
14. Incident Response Capability

Technical Controls

15. Identification and Authentication
16. Logical Access Controls
17. Audit Trails

Figure 1. Topic Areas


In order to measure the progress of effectively implementing the needed security control, five levels of effectiveness are provided for each answer to the security control question:

• Level 1 - control objective documented in a security policy

• Level 2 - security controls documented as procedures

• Level 3 - procedures have been implemented

• Level 4 - procedures and security controls are tested and reviewed

• Level 5 - procedures and security controls are fully integrated into a comprehensive program.

The method for answering the questions can be based primarily on an examination of relevant documentation and a rigorous examination and test of the controls. The review, for example, should consist of testing the access control methods in place by performing a penetration test; examining system documentation such as software change request forms, test plans, and approvals; and examining security logs and audit trails. Supporting documentation describing what has been tested and the results of the tests adds value to the assessment and will make the next review of the system easier.

Once the checklist, including all references, is completed for the first time, future assessments of the system will require considerably less effort. The completed questionnaire would establish a baseline. If this year's assessment indicates that most of the controls in place are at level 2 or level 3, then that would be the starting point for the next evaluation. More time can be spent identifying ways to increase the level of effectiveness instead of having to gather all the initial information again. Use the comment section to list whether there is supporting documentation and the notes section for any lengthy explanations.

The audit techniques to test the implementation or effectiveness of each control objective and technique are beyond the scope of this document. The GAO FISCAM document provides audit techniques that can be used to test the control objectives.

When answering the questions about whether a specific control objective has been met, consider the sensitivity of the system. The questionnaire contains a field that can be checked when a risk-based decision has been made to either reduce or enhance a security control. There may be certain situations where management will grant a waiver either because compensating controls exist or because the benefits of operating without the control (at least temporarily) outweigh the risk of waiting for full control implementation. Alternatively, there may be times when management implements more stringent controls than generally applied elsewhere. When the risk-based decision field is checked, note the reason in the comment field of the questionnaire and have management review and initial the decision. Additionally, the system security plan for the system should contain supporting documentation as to why the control has or has not been implemented.

The assessor must read each control objective and technique question and determine, in partnership with the system owner and those responsible for administering the system, whether the system's sensitivity level warrants the implementation of the control stated in the question. If the control is applicable, check whether there are documented policies (level 1), procedures for implementing the control (level 2), the control has been implemented (level 3), the control has been tested and, if found ineffective, remedied (level 4), and whether the control is part of an agency's organizational culture (level 5). The shaded fields in the questionnaire do not require a check mark. The five levels describing the state of the control objective provide a picture of each operational control; however, how well each one of these controls is met is subjective. Criteria have been established for each of the five levels that should be applied when determining whether the control objective has fully reached one or more of the five levels. The criteria are contained in Appendix C, Federal IT Security Assessment Framework.

Based on the responses to the control objectives and techniques and in partnership with the system owner and those responsible for system administration, the assessor should conclude the level of the related critical element. The conclusion should consider the relative importance of each subordinate objective/technique to achieving the critical element and the rigor with which the technique is implemented, enforced, and tested.

3.3 Applicability of Control Objectives

As stated above, the critical elements are required to be implemented; the control objectives and techniques, however, tend to be more detailed and leave room for reasonable subjective decisions. If the control does not reasonably apply to the system, then a "non-applicable" or "N/A" can be entered next to the question.

The control objectives and techniques in the questionnaire are geared for a system or group of connected systems. It is possible to use the questionnaire for a program review at an organizational level for ascertaining if the organization has policy and procedures in place (level 1 or level 2). However, to ensure all systems have implemented, tested, and fully integrated the controls (level 3, level 4, and level 5), the assessment questionnaire must be applied to each individual or interconnected group of systems. Chapter 4 describes how the results of the assessment can be used as input into an IT security program review.

The policy and procedures for a control objective and technique can be found at the Department level, agency level, agency component level, or application level. To effectively assess a system, ensure that the control objectives being assessed are at the applicable level. For example, if the system being reviewed has stringent authentication procedures, the authentication procedures for the system should be assessed, instead of the agency-wide minimum authentication procedures found in the agency IT security manual.

If a topic area is documented at a high level in policy, the level 1 box should be checked in the questionnaire. If there are additional low level policies for the system, describe the policies in the comment section of the questionnaire. If a specific control is described in detail in procedures, and implemented, the level 2 and level 3 boxes should be checked in the questionnaire. Testing and reviewing controls are an essential part of securing a system. For each specific control, check whether it has been tested and/or reviewed when a significant change occurred. The goal is to have all levels checked for each control. A conceptual sample of completing the questionnaire is contained in Appendix C. The conceptual sample has evolved into the questionnaire and differs slightly, i.e., there is now a comment and initial field.
4. Utilizing the Completed Questionnaire

The questionnaire can be used for two purposes. First, it can be used by agency managers who know their agency's systems and security controls to quickly gain a general understanding of where security for a system, group of systems, or the entire agency needs improvement. Second, it can be used as a guide for thoroughly evaluating the status of security for a system. The results of such thorough reviews provide a much more reliable measure of security effectiveness and may be used to 1) fulfill reporting requirements; 2) prepare for audits; and 3) identify resource needs.

4.1 Questionnaire Analysis

Because this is a self-assessment, ideally the individuals assessing the system are the owners of the system or responsible for operating or administering the system. The same individuals who completed the assessment can conduct the analysis of the completed questionnaire. Because the assessor is already familiar with the system, the supporting documentation, and the results of the assessment, the next step is an analysis that summarizes the findings. A centralized group, such as an agency's Information System Security Program Office, can also conduct the analysis as long as the supporting documentation is sufficient. The results of the analysis should be placed in an action plan, and the system security plan should be created or updated to reflect each control objective and technique decision.

4.2 Action Plans

How the critical element is to be implemented, i.e., specific procedures written, equipment installed and tested, and personnel trained, should be documented in an action plan. The action plan must contain projected dates, an allocation of resources, and follow-up reviews to ensure that remedial actions have been effective. Routine reports should be submitted to senior management on weaknesses identified, the status of the action plans, and the resources needed.

4.3 Agency IT Security Program Reports

Over the years, agencies have been asked to report on the status of their IT security program. The reporting requests vary in how much detail is required and in the type of information that should be reported. The completed self-assessment questionnaires are a useful resource for compiling agency reports. Below are sample topics that should be considered in an agency-wide security program report:

• Security Program Management

• Management Controls

• Operational Controls

• Technical Controls

• Planned Activities

4.3.1 Security Program Management

An agency's IT security program report needs to address programmatic issues such as:

• an established agency-wide security management structure,

• a documented up-to-date IT security program plan or policy (The assessment results for level 1 provide input.)

  > an agency-developed risk management and mitigation plan,

  > an agency-wide incident response capability,

  > an established certification and accreditation policy,

  > an agency-wide anti-virus infrastructure in place and operational at all agency facilities,

  > information security training and awareness programs established and available to all agency employees,

  > roles and relationships clearly defined and established between the agency and bureau levels of information security program management,

• an understanding of the importance of protecting mission critical information assets,

• the integration of security into the capital planning process,

• methods used to ensure that security is an integral part of the enterprise architecture (The assessment results for the Life Cycle topic area provide input),

• the total security cost from this year's budget request and a breakdown of security costs by each major operating division, and

• descriptions of agency-wide guidance issued in the past year.
4.3.2 Management Controls, Operational Controls, and Technical Controls

The results of the completed questionnaires' 17 control topic areas can be used to summarize an agency's implementation of the management, operational, and technical controls. For the report to project an accurate picture, the results must be summarized by system type, not totaled into an overall agency grade level. For example, ten systems were assessed using the questionnaire. Five of the ten systems assessed were major applications; the other five were general support systems. The summary would separate the systems into general support systems and major applications.

By further separating them into groups according to criticality, the report stresses which systems and which control objectives require more attention based on sensitivity and criticality. Not all systems require the same level of protection; the report should reflect that diversity. The use of percentages for describing compliance (i.e., 50 percent of the major applications and 25 percent of general support systems that are high in criticality have complete and current system security plans within the past three years) can be used as long as there is a distinct division provided between the types of systems being reported.

Additionally, all or a sampling of the completed questionnaires can be analyzed to determine which controls, if implemented, would impact the most systems. For example, if viruses frequently plague systems, a stricter firewall policy that prevents attached files in E-mail may be a solution. Also, systemic problems should be culled out. If an agency sees an influx of poor password management controls in the questionnaire results, then possibly password checkers should be used, awareness material issued, and password-aging software installed.

The report should conclude with a summary of planned IT security initiatives. The summary should include goals, actions needed to meet the goals, projected resources, and anticipated dates of completion.
Appendix B - Source of Control Criteria


Office of Management and Budget Circular A-130, "Management of Federal Information Resources", Section 8B3 and Appendix III, "Security of Federal Automated Information Resources."

Establishes a minimum set of controls to be included in Federal IT security programs.

Computer Security Act of 1987.

This statute set the stage for protecting systems by codifying the requirement for Government-wide IT security planning and training.

Paperwork Reduction Act of 1995.

The PRA established a comprehensive information resources management framework including security and subsumed the security responsibilities of the Computer Security Act of 1987.

Clinger-Cohen Act of 1996.

This Act linked security to agency capital planning and budget processes, established agency Chief Information Officers, and re-codified the Computer Security Act of 1987.

Presidential Decision Directive 63, "Protecting America's Critical Infrastructures."

This directive specifies agency responsibilities for protecting the nation's infrastructure, assessing vulnerabilities of public and private sectors, and eliminating vulnerabilities.

OMB Memorandum 99-18, "Privacy Policies on Federal Web Sites."

This memorandum directs Departments and Agencies to post clear privacy policies on World Wide Web sites, and provides guidance for doing so.

General Accounting Office "Federal Information System Control Audit Manual" (FISCAM).

The FISCAM methodology provides guidance to auditors in evaluating internal controls over the confidentiality, integrity, and availability of data maintained in computer-based information systems.

NIST Special Publication 800-14, "Generally Accepted Principles and Practices for Securing Information Technology Systems."

This publication guides organizations on the types of controls, objectives, and procedures that comprise an effective security program.

NIST Special Publication 800-18, "Guide for Developing Security Plans for Information Technology Systems."

This publication details the specific controls that should be documented in a system security plan.

Defense Authorization Act (P.L. 106-398) including Title X, Subtitle G, "Government Information Security Reform" (GISRA).

The act primarily addresses the program management and evaluation aspects of security.

Office of the Manager, National Communications Systems, "Public Switched Network Security Assessment Guidelines."

The guide describes a risk assessment procedure, descriptions of a comprehensive security program, and a summary checklist.

Federal Information Processing Standards.

These documents contain mandates and/or guidance for improving the utilization and management of computers and IT systems in the Federal Government.
Overview

Information and the systems that process it are among the most valuable assets of any organization. Adequate security of these assets is a fundamental management responsibility. Consistent with Office of Management and Budget (OMB) policy, each agency must implement and maintain a program to adequately secure its information and system assets. Agency programs must: 1) assure that systems and applications operate effectively and provide appropriate confidentiality, integrity, and availability; and 2) protect information commensurate with the level of risk and magnitude of harm resulting from loss, misuse, unauthorized access, or modification.

Agencies must plan for security, and ensure that the appropriate officials are assigned security responsibility and authorize system processing prior to operations and periodically thereafter. These management responsibilities presume that responsible agency officials understand the risks and other factors that could negatively impact their mission goals. Moreover, these officials must understand the current status of security programs and controls in order to make informed judgments and investments that appropriately mitigate risks to an acceptable level.

The Federal Information Technology (IT) Security Assessment Framework (or Framework) provides a method for agency officials to 1) determine the current status of their security programs relative to existing policy and 2) where necessary, establish a target for improvement. It does not establish new security requirements. The Framework may be used to assess the status of security controls for a given asset or collection of assets. These assets include information, individual systems (e.g., major applications, general support systems, mission critical systems), or a logically related grouping of systems that support operational programs, or operational programs (e.g., Air Traffic Control, Medicare, Student Aid). Assessing all asset security controls and all interconnected systems that the asset depends on produces a picture of both the security condition of an agency component and of the entire agency.

The Framework comprises five levels to guide agency assessment of their security programs and assist in prioritizing efforts for improvement. Coupled with the NIST-prepared self-assessment questionnaire [5], the Framework provides a vehicle for consistent and effective measurement of the security status for a given asset. The security status is measured by determining if specific security controls are documented, implemented, tested and reviewed, and incorporated into a cyclical review/improvement program, as well as whether unacceptable risks are identified and mitigated. The NIST questionnaire provides specific questions that identify the control criteria against which agency policies, procedures, and security controls can be compared. Appendix A contains a sample of the upcoming NIST Special Publication.

The Framework is divided into five levels: Level 1 of the Framework reflects that an asset has documented security policy. At level 2, the asset also has documented procedures and controls to implement the policy. Level 3 indicates that procedures and controls have been implemented. Level 4 shows that the procedures and controls are tested and reviewed. At level 5, the asset has procedures and controls fully integrated into a comprehensive program.


[5] The NIST Self-assessment Questionnaire will be issued in 2001 as a NIST Special Publication.
Each level represents a more complete and effective security program. OMB and the Council recognize that the security needs for the tens of thousands of Federal information systems differ. Agencies should note that testing the effectiveness of the asset and all interconnected systems that the asset depends on is essential to understanding whether risk has been properly mitigated. When an individual system does not achieve level 4, agencies should determine whether that system meets the criteria found in OMB Memorandum M00-07 (February 28, 2000), "Incorporating and Funding Security in Information Systems Investments." Agencies should seek to bring all assets to level 4 and ultimately level 5.

Integral to all security programs, whether for an asset or an entire agency, is a risk assessment process that includes determining the level of sensitivity of information and systems. Many agencies have developed their own methods of making these determinations. For example, the Department of Health and Human Services uses a four-track scale for confidentiality, integrity, and availability. The Department of Energy uses five groupings or "clusters" to address sensitivity. Regardless of the method used, the asset owner is responsible for determining how sensitive the asset is, what level of risk is acceptable, and which specific controls are necessary to provide adequate security to that asset. Again, each implemented security control must be periodically tested for effectiveness. The decision to implement and the results of the testing should be documented.
1. Framework Description

The Federal Information Technology Security Assessment Framework (Framework) identifies five levels of IT security program effectiveness (see Figure 1). The five levels measure specific management, operational, and technical control objectives. Each of the five levels contains criteria to determine if the level is adequately implemented. For example, in Level 1, all written policy should contain the purpose and scope of the policy, the individual(s) responsible for implementing the policy, and the consequences and penalties for not following the policy. The policy for an individual control must be reviewed to ascertain that the criteria for level 1 are met. Assessing the effectiveness of the individual controls, not simply their existence, is key to achieving and maintaining adequate security.

The asset owner, in partnership with those responsible for administering the information assets (which include IT systems), must determine whether the measurement criteria are being met at each level. Before making such a determination, the degree of sensitivity of information and systems must be determined by considering the requirements for confidentiality, integrity, and availability of both the information and systems — the value of information and systems is one of the major factors in risk management.

A security program may be assessed at various levels within an organization. For example, a program could be defined as an agency asset, a major application, general support system, high impact program, physical plant, mission critical system, or logically related group of systems. The Framework refers to this grouping as an asset.

The Framework describes an asset self-assessment and provides levels to guide and prioritize agency efforts as well as a basis to measure progress. In addition, the National Institute of Standards and Technology (NIST) will develop a questionnaire that gives the implementation tools for the Framework. The questionnaire will contain specific control objectives that should be applied to secure a system.

Figure 1 - Federal IT Security Assessment Framework

Level 1: Documented Policy
Level 2: Documented Procedures
Level 3: Implemented Procedures and Controls
Level 4: Tested and Reviewed Procedures and Controls
Level 5: Fully Integrated Procedures and Controls
The Framework approach begins with the premise that all agency assets must meet the minimum security requirements of the Office of Management and Budget Circular A-130, "Management of Federal Resources", Appendix III, "Security of Federal Automated Information Resources" (A-130). The criteria that are outlined in the Framework and provided in detail in the questionnaire are abstracted directly from long-standing requirements found in statute, policy, and guidance on security and privacy. It should be noted that an agency might have additional laws, regulations, or policies that establish specific requirements for confidentiality, integrity, or availability. Each agency should decide if additional security controls should be added to the questionnaire and, if so, customize the questionnaire appropriately. A list of the documents that the Framework and the questionnaire draw upon is provided in Figure 2.
Figure 2 - Source of Control Criteria

Office of Management and Budget Circular A-130, "Management of Federal Information
Resources", Appendix III, "Security of Federal Automated Information Resources."
    Establishes a minimum set of controls to be included in Federal IT security programs.

Computer Security Act of 1987.
    This statute set the stage for protecting systems by codifying the requirement for
    Government-wide IT security planning and training.

Paperwork Reduction Act of 1995.
    The PRA established a comprehensive information resources management framework,
    including security, and subsumed the security responsibilities of the Computer
    Security Act of 1987.

Clinger-Cohen Act of 1996.
    This Act linked security to agency capital planning and budget processes, established
    agency Chief Information Officers, and re-codified the Computer Security Act of 1987.

Presidential Decision Directive 63, "Protecting America's Critical Infrastructures."
    This directive specifies agency responsibilities for protecting the nation's
    infrastructure, assessing vulnerabilities of public and private sectors, and
    eliminating vulnerabilities.

Presidential Decision Directive 67, "Enduring Constitutional Government and Continuity of
Government."
    Relates to ensuring constitutional government, continuity of operations (COOP)
    planning, and continuity of government (COG) operations.

OMB Memorandum 99-05, "Instructions on Complying with President's Memorandum of May 14,
1998, 'Privacy and Personal Information in Federal Records.'"
    This memorandum provides instructions to agencies on how to comply with the
    President's Memorandum of May 14, 1998 on "Privacy and Personal Information in
    Federal Records."

OMB Memorandum 99-18, "Privacy Policies on Federal Web Sites."
    This memorandum directs Departments and Agencies to post clear privacy policies on
    World Wide Web sites, and provides guidance for doing so.

OMB Memorandum 00-13, "Privacy Policies and Data Collection on Federal Web Sites."
    The purpose of this memorandum is a reminder that each agency is required by law and
    policy to establish clear privacy policies for its web activities and to comply with
    those policies.

General Accounting Office "Federal Information System Control Audit Manual" (FISCAM).
    The FISCAM methodology provides guidance to auditors in evaluating internal controls
    over the confidentiality, integrity, and availability of data maintained in
    computer-based information systems.

NIST Special Publication 800-14, "Generally Accepted Principles and Practices for
Securing Information Technology Systems."
    This publication guides organizations on the types of controls, objectives, and
    procedures that comprise an effective security program.

NIST Special Publication 800-18, "Guide for Developing Security Plans for Information
Technology Systems."
    This publication details the specific controls that should be documented in a system
    security plan.

Federal Information Processing Standards.
    These documents contain legislative and executive mandates for improving the
    utilization and management of computers and IT systems in the Federal Government.
2. Documented Policy - Level 1

2.1  Description 

Level  1  of  the  Framework  includes: 

•  Formally  documented  and  disseminated  security  policy  covering  agency  headquarters 
and  major  components  (e.g.,  bureaus  and  operating  divisions).  The  policy  may  be  asset 
specific. 

•  Policy  that  references  most  of  the  basic  requirements  and  guidance  issued  from  the 
documents  listed  in  Figure  2  -  Source  of  Control  Criteria. 

An asset is at level 1 if there is a formal, up-to-date, documented policy that establishes a
continuing cycle of assessing risk, implements effective security policies including training,
and uses monitoring for program effectiveness. Such a policy may cover major agency
components (e.g., bureaus and operating divisions) or specific assets.

A  documented  security  policy  is  necessary  to  ensure  adequate  and  cost  effective 
organizational  and  system  security  controls.  A  sound  policy  delineates  the  security 
management  structure  and  clearly  assigns  security  responsibilities,  and  lays  the  foundation 
necessary  to  reliably  measure  progress  and  compliance.  The  criteria  listed  below  should  be 
applied  when  assessing  the  policy  developed  for  the  controls  that  are  listed  in  the  NIST 
questionnaire. 

2.2  Criteria 

Level  1  criteria  describe  the  components  of  a  security  policy.  

Criteria  for  Level  1 

a.  Purpose  and  scope.  An  up-to-date  security  policy  is  written  that  covers  all  major  facilities  and 
operations  agency-wide  or  for  the  asset.  The  policy  is  approved  by  key  affected  parties  and  covers 
security  planning,  risk  management,  review  of  security  controls,  rules  of  behavior,  life-cycle 
management,  processing  authorization,  personnel,  physical  and  environmental  aspects,  computer  support 
and  operations,  contingency  planning,  documentation,  training,  incident  response,  access  controls,  and 
audit  trails.  The  policy  clearly  identifies  the  purpose  of  the  program  and  its  scope  within  the  organization. 

b.  Responsibilities.  The  security  program  comprises  a  security  management  structure  with  adequate 
authority,  and  expertise.  IT  security  manager(s)  are  appointed  at  an  overall  level  and  at  appropriate 
subordinate  levels.  Security  responsibilities  and  expected  behaviors  are  clearly  defined  for  asset  owners 
and  users,  information  resources  management  and  data  processing  personnel,  senior  management,  and 
security  administrators. 

c.  Compliance.  General  compliance  and  specified  penalties  and  disciplinary  actions  are  also  identified  in 
the  policy. 
3. Documented Procedures - Level 2

3.1  Description 

Level  2  of  the  Framework  includes: 

•  Formal,  complete,  well-documented  procedures  for  implementing  policies  established  at 
level  one. 

•  The  basic  requirements  and  guidance  issued  from  the  documents  listed  in  Figure  2  - 
Source  of  Control  Criteria. 

An  asset  is  at  level  2  when  formally  documented  procedures  are  developed  that  focus  on 
implementing  specific  security  controls.  Formal  procedures  promote  the  continuity  of  the 
security  program.  Formal  procedures  also  provide  the  foundation  for  a  clear,  accurate,  and 
complete  understanding  of  the  program  implementation.  An  understanding  of  the  risks  and 
related  results  should  guide  the  strength  of  the  control  and  the  corresponding  procedures.  The 
procedures  document  the  implementation  of  and  the  rigor  in  which  the  control  is  applied. 
Level  2  requires  procedures  for  a  continuing  cycle  of  assessing  risk  and  vulnerabilities, 
implementing  effective  security  policies,  and  monitoring  effectiveness  of  the  security 
controls.  Approved  system  security  plans  are  in  place  for  all  assets. 

Well-documented  and  current  security  procedures  are  necessary  to  ensure  that  adequate  and 
cost  effective  security  controls  are  implemented.  The  criteria  listed  below  should  be  applied 
when  assessing  the  quality  of  the  procedures  for  controls  outlined  in  the  NIST  questionnaire. 

3.2  Criteria 

Level  2  criteria  describe  the  components  of  security  procedures.  

Criteria  for  Level  2 

a. Control areas listed and organization's position stated. Up-to-date procedures are written that
cover all major facilities and operations within the asset. The procedures are approved by key
responsible  parties  and  cover  security  policies,  security  plans,  risk  management,  review  of  security 
controls,  rules  of  behavior,  life-cycle  management,  processing  authorization,  personnel,  physical  and 
environmental  aspects,  computer  support  and  operations,  contingency  planning,  documentation,  training, 
incident  response,  access  controls,  and  audit  trails.  The  procedures  clearly  identify  management's 
position  and  whether  there  are  further  guidelines  or  exceptions. 

b. Applicability of procedures documented. Procedures clarify where, how, when, to whom, and about
what a particular procedure applies.

c.  Assignment  of  IT  security  responsibilities  and  expected  behavior.  Procedures  clearly  define 
security  responsibilities  and  expected  behaviors  for  (1)  asset  owners  and  users,  (2)  information  resources 
management  and  data  processing  personnel,  (3)  management,  and  (4)  security  administrators. 

d.  Points  of  contact  and  supplementary  information  provided.  Procedures  contain  appropriate 
individuals  to  be  contacted  for  further  information,  guidance,  and  compliance. 
4. Implemented Procedures and Controls - Level 3

4.1  Description 

Level  3  of  the  Framework  includes: 

•  Security  procedures  and  controls  that  are  implemented. 

• Procedures that are communicated to the individuals who are required to follow them.

At  level  3,  the  IT  security  procedures  and  controls  are  implemented  in  a  consistent  manner 
and  reinforced  through  training.  Ad  hoc  approaches  that  tend  to  be  applied  on  an  individual 
or  case-by-case  basis  are  discouraged.  Security  controls  for  an  asset  could  be  implemented 
and  not  have  procedures  documented,  but  the  addition  of  formal  documented  procedures  at 
level  2  represents  a  significant  step  in  the  effectiveness  of  implementing  procedures  and 
controls  at  level  3.  While  testing  the  on-going  effectiveness  is  not  emphasized  in  level  3, 
some  testing  is  needed  when  initially  implementing  controls  to  ensure  they  are  operating  as 
intended.  The  criteria  listed  below  should  be  used  to  determine  if  the  specific  controls  listed 
in  the  NIST  questionnaire  are  being  implemented. 

4.2  Criteria 

Level  3  criteria  describe  how  an  organization  can  ensure  implementation  of  their  security 
procedures. 


Criteria  for  Level  3 

a. Owners and users are made aware of security policies and procedures. Security policies and
procedures are distributed to all affected personnel, including system/application rules and expected
behaviors. Users are required to periodically acknowledge their awareness and acceptance of responsibility
for security.

b.  Policies  and  procedures  are  formally  adopted  and  technical  controls  installed.  Automated  and 
other  tools  routinely  monitor  security.  Established  policy  governs  review  of  system  logs,  penetration 
testing,  and  internal/external  audits. 

c.  Security  is  managed  throughout  the  life  cycle  of  the  system.  Security  is  considered  in  each  of  the 
life-cycle  phases:  initiation,  development/acquisition,  implementation,  operation,  and  disposal. 

d.  Procedures  established  for  authorizing  processing  (certification  and  accreditation).  Management 
officials  must  formally  authorize  system  operations  and  manage  risk. 

e.  Documented  security  position  descriptions.  Skill  needs  and  security  responsibilities  in  job 
descriptions  are  accurately  identified. 

f.  Employees  trained  on  security  procedures.  An  effective  training  and  awareness  program  tailored  for 
varying  job  functions  is  planned,  implemented,  maintained,  and  evaluated. 




Appendix  C 
Federal  IT  Security  Assessment  Framework 


5.  Tested  and  Evaluated  Procedures  and  Controls  -  Level  4 

5.1 Description

Level  4  of  the  Framework  includes: 

•  Routinely  evaluating  the  adequacy  and  effectiveness  of  security  policies,  procedures,  and 
controls. 

•  Ensuring  that  effective  corrective  actions  are  taken  to  address  identified  weaknesses, 
including  those  identified  as  a  result  of  potential  or  actual  security  incidents  or  through 
security  alerts  issued  by  FedCIRC,  vendors,  and  other  trusted  sources. 

Routine  evaluations  and  response  to  identified  vulnerabilities  are  important  elements  of  risk 
management,  which  includes  identifying,  acknowledging,  and  responding,  as  appropriate,  to 
changes  in  risk  factors  (e.g.,  computing  environment,  data  sensitivity)  and  ensuring  that 
security  policies  and  procedures  are  appropriate  and  are  operating  as  intended  on  an  ongoing 
basis. 

Routine  self-assessments  are  an  important  means  of  identifying  inappropriate  or  ineffective 
security  procedures  and  controls,  reminding  employees  of  their  security-related 
responsibilities,  and  demonstrating  management's  commitment  to  security.  Self-assessments 
can  be  performed  by  agency  staff  or  by  contractors  or  others  engaged  by  agency 
management.  Independent  audits  such  as  those  arranged  by  the  General  Accounting  Office 
(GAO)  or  an  agency  Inspector  General  (IG),  are  an  important  check  on  agency  performance, 
but should not be viewed as a substitute for evaluations initiated by agency management.

To  be  effective,  routine  evaluations  must  include  tests  and  examinations  of  key  controls. 
Reviews  of  documentation,  walk-throughs  of  agency  facilities,  and  interviews  with  agency 
personnel,  while  providing  useful  information,  are  not  sufficient  to  ensure  that  controls, 
especially  computer-based  controls,  are  operating  effectively.  Examples  of  tests  that  should 
be  conducted  are  network  scans  to  identify  known  vulnerabilities,  analyses  of  router  and 
switch  settings  and  firewall  rules,  reviews  of  other  system  software  settings,  and  tests  to  see 
if  unauthorized  system  access  is  possible  (penetration  testing).  Tests  performed  should 
consider  the  risks  of  authorized  users  exceeding  authorization  as  well  as  unauthorized  users 
(e.g., external parties, hackers) gaining access. As at levels 1 through 3, to be
meaningful, evaluations must include the security controls of interconnected assets, e.g., the network
supporting the applications being tested.

When  assets  are  first  implemented  or  are  modified,  they  should  be  tested  and  certified  to 
ensure  that  controls  are  initially  operating  as  intended.  (This  would  occur  at  Level  3.) 
Requirements  for  subsequent  testing  and  recertification  should  be  integrated  into  an  agency's 
ongoing  test  and  evaluation  program. 

In  addition  to  test  results,  agency  evaluations  should  consider  information  gleaned  from 
records  of  potential  and  actual  security  incidents  and  from  security  alerts,  such  as  those 
issued  by  software  vendors.  Such  information  can  identify  specific  vulnerabilities  and 
provide  insights  into  the  latest  threats  and  resulting  risks. 
The criteria listed below should be applied to each control area listed in the NIST
questionnaire  to  determine  if  the  asset  is  being  effectively  evaluated. 

5.2  Criteria 

Level  4  criteria  are  listed  below.  

Criteria  for  Level  4 

a.  Effective  program  for  evaluating  adequacy  and  effectiveness  of  security  policies,  procedures,  and 
controls.  Evaluation  requirements,  including  requirements  regarding  the  type  and  frequency  of  testing, 
should  be  documented,  approved,  and  effectively  implemented.  The  frequency  and  rigor  with  which 
individual  controls  are  tested  should  depend  on  the  risks  that  will  be  posed  if  the  controls  are  not 
operating  effectively.  At  a  minimum,  controls  should  be  evaluated  whenever  significant  system  changes 
are  made  or  when  other  risk  factors,  such  as  the  sensitivity  of  data  processed,  change.  Even  controls  for 
inherently  low-risk  operations  should  be  tested  at  a  minimum  of  every  3  years. 

b. Mechanisms for identifying vulnerabilities revealed by security incidents or security alerts.
Agencies should routinely analyze security incident records, including any records of anomalous or
suspicious activity that may reveal security vulnerabilities. In addition, they should review security alerts
issued by FedCIRC, vendors, and others.

c.  Process  for  reporting  significant  security  weaknesses  and  ensuring  effective  remedial 
action.  Such  a  process  should  provide  for  routine  reports  to  senior  management  on  weaknesses 
identified  through  testing  or  other  means,  development  of  action  plans,  allocation  of  needed 
resources,  and  follow-up  reviews  to  ensure  that  remedial  actions  have  been  effective.  Expedited 
processes  should  be  implemented  for  especially  significant  weaknesses  that  may  present  undue 
risk  if  not  addressed  immediately.  
6. Fully Integrated Procedures and Controls - Level 5

6.1  Description 

Level  5  of  the  Framework  includes: 

•  A  comprehensive  security  program  that  is  an  integral  part  of  an  agency's  organizational 
culture. 

•  Decision-making  based  on  cost,  risk,  and  mission  impact. 

The consideration of IT security is pervasive in the culture of a level 5 asset. A proven life-cycle
methodology is implemented and enforced, and an ongoing program to identify and
institutionalize best practices has been implemented. There is active support from senior
management. Decisions and actions that are part of the IT life cycle include:

• Improving the security program

• Improving security program procedures

• Improving or refining security controls

• Adding security controls

• Integrating security within existing and evolving IT architecture

• Improving mission processes and risk management activities

Each of these decisions results from a continuous improvement and refinement program
instilled within the organization. At level 5, the understanding of mission-related risks and
the associated costs of reducing those risks are considered together with a full range of
implementation options to achieve maximum mission cost-effectiveness of security
measures. Entities should select controls that offer adequate risk mitigation at the lowest
implementation cost, rather than high-cost implementations that provide little risk
mitigation. The criteria listed below should be used to assess whether a specific
control contained in the NIST questionnaire has been fully implemented.

6.2  Criteria 

Level 5 criteria describe components of a fully integrated security program.

Criteria  for  Level  5 

a.  There  is  an  active  enterprise-wide  security  program  that  achieves  cost-effective  security. 

b.  IT  security  is  an  integrated  practice  within  the  asset. 

c.  Security  vulnerabilities  are  understood  and  managed. 

d.  Threats  are  continually  re-evaluated,  and  controls  adapted  to  changing  security  environment. 

e.  Additional  or  more  cost-effective  security  alternatives  are  identified  as  the  need  arises. 

f.  Costs  and  benefits  of  security  are  measured  as  precisely  as  practicable. 

g.  Status  metrics  for  the  security  program  are  established  and  met. 
7. Future of the Framework

This  version  of  the  Framework  primarily  addresses  security  management  issues.  It  describes 
a  process  for  agencies  to  assess  their  compliance  with  long-standing  basic  requirements  and 
guidance.  With  the  Framework  in  place,  agencies  will  have  an  approach  to  begin  the 
assessment  process.  The  NIST  questionnaire  provides  the  tool  to  determine  whether  agencies 
are  meeting  these  requirements  and  following  the  guidance. 

The Framework is not static; it is a living document. Revisions will focus on expanding,
refining, and providing more granularity for existing criteria. In addition, the establishment of
a similar companion framework devoted to the evolution of agency electronic privacy policies
may be considered in time.

The  Framework  can  be  viewed  as  both  an  auditing  tool  and  a  management  tool. 

A balance between operational needs and cost-effective security for acceptable risk will need
to be struck to achieve an adequate level of security.

Currently, the NIST self-assessment tool is under development and will be available in 2001.
Appendix A provides a sample questionnaire to assist agencies until NIST officially releases
the questionnaire.
Appendix A

Conceptual Sample of NIST Self-Assessment Questionnaire

Below  is  a  conceptual  sample  of  the  Hypothetical  Government  Agency's  (HGA)  completion 
of  the  NIST  questionnaire  for  their  Training  Database.  Before  the  questionnaire  was 
completed,  the  sensitivity  of  the  information  stored  within,  processed  by  and  transmitted  by 
this  asset  was  assessed.  The  premise  behind  determining  the  level  of  sensitivity  is  that  each 
asset  owner  is  responsible  for  determining  what  level  of  risk  is  acceptable,  and  which  specific 
security  controls  are  necessary  to  provide  adequate  security. 

The  sensitivity  of  this  asset  was  determined  to  be  high  for  confidentiality  and  low  for 
integrity  and  availability.  The  confidentiality  of  the  system  is  high  due  to  the  system 
containing  personnel  information.  Employee  social  security  numbers,  course  lists,  and  grades 
are  contained  in  the  system.  The  integrity  of  the  database  is  considered  low  because  if  the 
information  were  modified  by  unauthorized,  unanticipated  or  unintentional  means, 
employees,  who  can  read  their  own  training  file,  would  detect  the  modifications.  The 
availability  of  the  system  is  considered  low  because  hard  copies  of  the  training  forms  are 
available  as  a  backup. 

The  questionnaire  was  completed  for  the  database  with  the  understanding  that  security 
controls  that  protect  the  integrity  or  availability  of  the  data  did  not  have  to  be  rigidly  applied. 
The  questionnaire  contains  a  field  that  can  be  checked  when  a  risk-based  decision  has  been 
made  to  either  reduce  or  enhance  a  security  control.  There  may  be  certain  situations  where 
management  will  grant  a  waiver  either  because  compensating  controls  exist  or  because  the 
benefits  of  operating  without  the  control  (at  least  temporarily)  outweigh  the  risk  of  waiting 
for  full  control  implementation.  Alternatively,  there  may  be  times  where  management 
implements  more  stringent  controls  than  generally  applied  elsewhere.  In  the  example 
provided  the  specific  control  objectives  for  personnel  security  and  for  authentication  were 
assessed.  The  questionnaire  is  an  excerpt  and  by  no  means  contains  all  the  questions  that 
would  be  asked  in  the  area  of  personnel  security  and  authentication.  For  brevity,  only  a  few 
questions  were  provided  in  this  sample. 

An analysis of the levels checked determined that the agency should target improving their
background screening implementation and testing. System administrators, programmers, and
managers should all have background checks completed prior to accessing the system. The
decision to allow access prior to screening was made and checked in the Risk Based Decision
Made box. Because this box was checked, specific controls should be implemented to
ensure access is not abused, e.g., access is reviewed daily through audit trails, and users have
minimal system authority.

Additionally, HGA should improve the implementation and testing of its password procedures
because of the strong need for confidentiality. Without good password management,
passwords can be easily guessed and access to the system obtained. The questionnaire's list
of objectives is incomplete for both personnel security controls and for authentication
controls. Even though the sample is lacking many controls, the completed questionnaire
clearly depicts that HGA has policies and procedures in place but there is a strong need for
implementing, testing, and reviewing the procedures and controls. The sample indicates that
the Training Database would be at level 2.
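The level determination described above, as an added worked example that is not part of the Framework document or the NIST questionnaire: the levels are treated as cumulative (a control objective is at level L only when levels 1 through L are all checked), the asset's level is the lowest level reached by any of its control objectives, and the objectives still unchecked at the next level become the improvement targets. The control data are constructed from the HGA Training Database sample as read here, and the cumulative scoring rule is this example's interpretation of the Framework text, not a rule the document states.

```python
"""Score a Framework self-assessment questionnaire.

Scoring rule assumed here (this example's reading of the Framework levels):
the levels are cumulative, so a control objective is at level L only when
levels 1..L are all checked, and the asset's level is the lowest level
reached by any of its control objectives.
"""
from dataclasses import dataclass

LEVELS = {1: "Policy", 2: "Procedures", 3: "Implemented", 4: "Tested", 5: "Integrated"}


@dataclass(frozen=True)
class ControlObjective:
    area: str
    question: str
    checked: frozenset            # levels 1..5 marked with an X on the questionnaire
    risk_based_decision: bool = False

    def level(self) -> int:
        """Highest L such that 1..L are all checked; 0 when even policy is missing.
        A control implemented without documented procedures ({1, 3}) scores 1."""
        lvl = 0
        while lvl + 1 in self.checked:
            lvl += 1
        return lvl


def asset_level(controls) -> int:
    """The asset is only as far along as its least-developed control objective."""
    return min(c.level() for c in controls)


def gaps(controls, target: int):
    """Control objectives that have not reached the target level."""
    return [c for c in controls if c.level() < target]


def report(controls) -> list:
    """Asset level plus the improvement targets for the next level."""
    lvl = asset_level(controls)
    lines = [f"Asset level: {lvl} ({LEVELS.get(lvl, 'no documented policy')})"]
    if lvl < 5:
        lines.append(f"Targets for reaching level {lvl + 1} ({LEVELS[lvl + 1]}):")
        for c in gaps(controls, lvl + 1):
            note = ""
            if c.risk_based_decision:
                # A waiver does not raise the level; it obliges compensating controls.
                note = " [risk-based decision made; compensating controls expected]"
            lines.append(f"  {c.area}: {c.question}{note}")
    return lines


# Constructed from the HGA Training Database sample in Appendix A; the column
# assignments are this example's reading of the sample table.
PS, AUTH = "Personnel Security", "Authentication"
HGA_TRAINING_DB = [
    ControlObjective(PS, "positions reviewed for sensitivity level", frozenset({1, 2, 3})),
    ControlObjective(PS, "background screening completed prior to granting access",
                     frozenset({1, 2}), risk_based_decision=True),
    ControlObjective(PS, "conditions for access prior to completion of screening", frozenset({1, 2})),
    ControlObjective(PS, "sensitive functions divided among different individuals", frozenset({1, 2, 3})),
    ControlObjective(PS, "mechanisms for holding users responsible for their actions", frozenset({1, 2})),
    ControlObjective(PS, "termination procedures established", frozenset({1, 2})),
    ControlObjective(AUTH, "passwords, tokens, or biometrics used", frozenset({1, 2, 3})),
    ControlObjective(AUTH, "password composition rules", frozenset({1, 2})),
    ControlObjective(AUTH, "passwords changed at least every ninety days", frozenset({1, 2})),
    ControlObjective(AUTH, "guidance for lost and compromised passwords", frozenset({1, 2})),
    ControlObjective(AUTH, "passwords transmitted and stored with one-way encryption", frozenset({1, 2})),
    ControlObjective(AUTH, "limit on invalid access attempts", frozenset({1, 2})),
]

if __name__ == "__main__":
    print("\n".join(report(HGA_TRAINING_DB)))
```

Run stand-alone, the report places the Training Database at level 2 and lists the nine objectives (four personnel security, five authentication) that must be implemented to reach level 3, flagging the background screening waiver separately so that it is not mistaken for a satisfied control.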
Category of Sensitivity      High    Medium    Low
  Confidentiality             X
  Integrity                                     X
  Availability                                  X

Specific Control Objectives
The levels checked for each objective are listed as: L.1 Policy, L.2 Procedures,
L.3 Implemented, L.4 Tested, L.5 Integrated, and Risk Based Decision Made.

Personnel Security

  Are all positions reviewed for sensitivity level?
      Policy X, Procedures X, Implemented X

  Is appropriate background screening for assigned positions completed prior to
  granting access?
      Policy X, Procedures X, Risk Based Decision Made X

  Are there conditions for allowing system access prior to completion of screening?
      Policy X, Procedures X

  Are sensitive functions divided among different individuals?
      Policy X, Procedures X, Implemented X

  Are mechanisms in place for holding users responsible for their actions?
      Policy X, Procedures X

  Are termination procedures established?
      Policy X, Procedures X

Authentication

  Are passwords, tokens, or biometrics used?
      Policy X, Procedures X, Implemented X

  Do passwords contain alphanumeric, upper/lower case, and special characters?
      Policy X, Procedures X

  Are passwords changed at least every ninety days or earlier if needed?
      Policy X, Procedures X

  Is there guidance for handling lost and compromised passwords?
      Policy X, Procedures X

  Are passwords transmitted and stored with one-way encryption?
      Policy X, Procedures X

  Is there a limit to the number of invalid access attempts that may occur for a given user?
      Policy X, Procedures X
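The authentication objectives in the sample table are at level 2 for HGA: policy and procedures exist, but nothing is implemented. As an added example, not code from the Framework document, NIST, or HGA, the following shows what the "Implemented" column would correspond to for four of those objectives: composition rules (alphanumeric, upper/lower case, special characters), a ninety-day maximum password age, one-way storage of passwords (a salted PBKDF2-HMAC-SHA256 hash stands in for the questionnaire's "one-way encryption"), and a limit on invalid access attempts. The minimum length, the lockout threshold of five attempts, and the in-memory account store are assumptions; protecting the password in transit (a TLS or equivalent channel) is outside what this snippet shows.

```python
"""Authentication controls from the sample questionnaire, implemented.

Added example (not from the Framework document). Stdlib only; the
account store, minimum length and lockout threshold are assumptions.
"""
import hashlib
import hmac
import secrets
import string
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

MAX_PASSWORD_AGE = timedelta(days=90)   # "changed at least every ninety days"
MAX_INVALID_ATTEMPTS = 5                # assumed lockout threshold
PBKDF2_ROUNDS = 100_000                 # work factor of the one-way function
MIN_LENGTH = 8                          # assumed; the questionnaire sets no length


def meets_composition(pw: str) -> bool:
    """Alphanumeric, upper/lower case, and special characters (the table's rule)."""
    return (len(pw) >= MIN_LENGTH
            and any(c.islower() for c in pw)
            and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in string.punctuation for c in pw))


def one_way(pw: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256: the stored value cannot be turned back into the password."""
    return hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    salt: bytes
    digest: bytes
    changed_at: datetime
    invalid_attempts: int = 0
    locked: bool = False


class AuthStore:
    def __init__(self):
        self.accounts = {}      # username -> Account (assumed in-memory store)

    def enroll(self, user: str, pw: str, now: datetime) -> None:
        if not meets_composition(pw):
            raise ValueError("password does not meet composition rules")
        salt = secrets.token_bytes(16)
        self.accounts[user] = Account(salt, one_way(pw, salt), now)

    def login(self, user: str, pw: str, now: datetime) -> str:
        """Returns 'ok', 'denied', 'locked' or 'expired'."""
        acct = self.accounts.get(user)
        if acct is None:
            one_way(pw, b"\x00" * 16)   # same work for unknown users (timing)
            return "denied"
        if acct.locked:
            return "locked"
        if not hmac.compare_digest(one_way(pw, acct.salt), acct.digest):
            acct.invalid_attempts += 1
            if acct.invalid_attempts >= MAX_INVALID_ATTEMPTS:
                acct.locked = True      # limit on invalid access attempts
                return "locked"
            return "denied"
        acct.invalid_attempts = 0
        if now - acct.changed_at > MAX_PASSWORD_AGE:
            return "expired"            # correct password, but a change is overdue
        return "ok"


def demo() -> list:
    """Constructed walk-through: valid login, aged password, lockout."""
    t0 = datetime(2001, 1, 1, tzinfo=timezone.utc)
    store = AuthStore()
    store.enroll("hga_user", "Tr4ining-Db!", t0)
    results = [store.login("hga_user", "Tr4ining-Db!", t0)]                            # ok
    results.append(store.login("hga_user", "Tr4ining-Db!", t0 + timedelta(days=91)))   # expired
    last = "denied"
    for _ in range(MAX_INVALID_ATTEMPTS):
        last = store.login("hga_user", "wrong", t0)
    results.append(last)                                                               # locked
    results.append(store.login("hga_user", "Tr4ining-Db!", t0))                        # still locked
    return results


if __name__ == "__main__":
    print(demo())
```

The lockout counter is reset only after a correct password, so the fifth wrong guess locks the account and even the correct password is then refused until an administrator clears the lock; that administrative procedure is the "guidance for handling lost and compromised passwords" row of the table, which this snippet leaves to the agency's procedures.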
Terminology

Acceptable  Risk  is  a  concern  that  is  acceptable  to  responsible  management,  due  to  the  cost 
and  magnitude  of  implementing  controls. 

Accreditation  is  synonymous  with  the  term  authorize  processing.  Accreditation  is  the 
authorization  and  approval  granted  to  a  major  application  or  general  support  system  to 
process  in  an  operational  environment.  It  is  made  on  the  basis  of  a  certification  by 
designated  technical  personnel  that  the  system  meets  pre-specified  technical  requirements  for 
achieving  adequate  system  security.  See  also  Authorize  Processing,  Certification,  and 
Designated  Approving  Authority. 

Asset  is  a  major  application,  general  support  system,  high  impact  program,  physical  plant, 
mission  critical  system,  or  a  logically  related  group  of  systems. 

Authorize  Processing  occurs  when  management  authorizes  in  writing  a  system  based  on  an 
assessment  of  management,  operational,  and  technical  controls.  By  authorizing  processing  in 
a  system  the  management  official  accepts  the  risks  associated  with  it.  See  also  Accreditation, 
Certification,  and  Designated  Approving  Authority. 

Availability Protection requires backup of systems and information, contingency plans,
disaster recovery plans, and redundancy. Examples of systems and information requiring
availability protection are time-share systems, mission-critical applications, time and
attendance, financial, procurement, and life-critical systems.

Awareness, Training, and Education comprise three tiers: (1) awareness programs set the stage for
training by changing organizational attitudes so that the importance of security and the adverse
consequences of its failure are recognized; (2) training teaches people the skills that enable
them to perform their jobs more effectively; and (3) education is more in-depth than training
and is targeted at security professionals and those whose jobs require expertise in IT security.

Certification is the technical evaluation that establishes the extent to which a computer
system, application, or network design and implementation meets a pre-specified set of
security requirements. It is distinct from authorize processing (accreditation): certification is
a major consideration prior to authorizing processing, but not the only consideration.
See also Accreditation and Authorize Processing.

General  Support  System  is  an  interconnected  information  resource  under  the  same  direct 
management  control  that  shares  common  functionality.  It  normally  includes  hardware, 
software,  information,  data,  applications,  communications,  facilities,  and  people  and  provides 
support  for  a  variety  of  users  and/or  applications.  Individual  applications  support  different 
mission-related  functions.  Users  may  be  from  the  same  or  different  organizations. 

Individual  Accountability  requires  individual  users  to  be  held  accountable  for  their  actions 
after  being  notified  of  the  rules  of  behavior  in  the  use  of  the  system  and  the  penalties 
associated  with  the  violation  of  those  rules. 
Information Owner is responsible for establishing the rules for appropriate use and
protection  of  the  data/information.  The  information  owner  retains  that  responsibility  even 
when  the  data/information  are  shared  with  other  organizations. 

Major  Application  is  an  application  that  requires  special  attention  to  security  due  to  the  risk 
and  magnitude  of  the  harm  resulting  from  the  loss,  misuse,  or  unauthorized  access  to,  or 
modification  of,  the  information  in  the  application.  A  breach  in  a  major  application  might 
comprise  many  individual  application  programs  and  hardware,  software,  and 
telecommunications  components.  Major  applications  can  be  either  a  major  software 
application  or  a  combination  of  hardware/software  where  the  only  purpose  of  the  system  is  to 
support  a  specific  mission-related  function. 

Material  Weakness  or  significant  weakness  is  used  to  identify  control  weaknesses  that  pose 
a  significant  risk  or  a  threat  to  the  operations  and/or  assets  of  an  audited  entity.  "Material 
weakness"  is  a  very  specific  term  that  is  defined  one  way  for  financial  audits  and  another  way 
for  weaknesses  reported  under  the  Federal  Managers  Financial  Integrity  Act  of  1982.  Such 
weaknesses  may  be  identified  by  auditors  or  by  management. 

Networks include communication capability that allows one user or system to connect to another user or system and can be part of a system or a separate system. Examples of networks include local area networks or wide area networks, including public networks such as the Internet.

Operational  Controls  address  security  methods  that  focus  on  mechanisms  that  primarily  are 
implemented  and  executed  by  people  (as  opposed  to  systems). 

Policy is a document that delineates the security management structure, clearly assigns security responsibilities, and lays the foundation necessary to reliably measure progress and compliance.

Procedures  are  contained  in  a  document  that  focuses  on  the  security  control  areas  and 
management's  position. 

Risk  is  the  possibility  of  harm  or  loss  to  any  software,  information,  hardware,  administrative, 
physical,  communications,  or  personnel  resource  within  an  automated  information  system  or 
activity. 

Risk  Management  is  the  ongoing  process  of  assessing  the  risk  to  automated  information 
resources  and  information,  as  part  of  a  risk-based  approach  used  to  determine  adequate 
security  for  a  system  by  analyzing  the  threats  and  vulnerabilities  and  selecting  appropriate 
cost-effective  controls  to  achieve  and  maintain  an  acceptable  level  of  risk. 

Rules  of  Behavior  are  the  rules  that  have  been  established  and  implemented  concerning  use 
of,  security  in,  and  acceptable  level  of  risk  for  the  system.  Rules  will  clearly  delineate 
responsibilities  and  expected  behavior  of  all  individuals  with  access  to  the  system.  Rules 
should  cover  such  matters  as  work  at  home,  dial-in  access,  connection  to  the  Internet,  use  of 
copyrighted works, unofficial use of Federal government equipment, assignment and limitation of system privileges, and individual accountability.

Sensitive  Information  refers  to  information  whose  loss,  misuse,  or  unauthorized  access  to  or 
modification  of  could  adversely  affect  the  national  interest  or  the  conduct  of  Federal 
programs  or  the  privacy  to  which  individuals  are  entitled. 

Sensitivity in an information technology environment consists of the system, data, and applications, which must be examined individually and in total. All systems and applications require some level of protection for confidentiality, integrity, and/or availability that is determined by an evaluation of the sensitivity of the information processed, the relationship of the system to the organization's mission, and the economic value of the system components.

System is a generic term used for brevity to mean either a major application or a general support system.

System  Operational  Status  is  either  (1)  Operational  -  system  is  currently  in  operation,  (2) 
Under  Development  -  system  is  currently  under  design,  development,  or  implementation,  or 
(3)  Undergoing  a  Major  Modification  -  system  is  currently  undergoing  a  major  conversion  or 
transition. 

Technical  Controls  consist  of  hardware  and  software  controls  used  to  provide  automated 
protection  to  the  system  or  applications.  Technical  controls  operate  within  the  technical 
system  and  applications. 

Threat  is  an  event  or  activity,  deliberate  or  unintentional,  with  the  potential  for  causing  harm 
to  an  IT  system  or  activity. 

Vulnerability  is  a  flaw  or  weakness  that  may  allow  harm  to  occur  to  an  IT  system  or  activity. 
Technical Publications


Periodical 


Journal  of  Research  of  the  National  Institute  of  Standards  and  Technology — Reports  NIST  research 
and  development  in  metrology  and  related  fields  of  physical  science,  engineering,  applied  mathematics, 
statistics,  biotechnology,  and  information  technology.  Papers  cover  a  broad  range  of  subjects,  with  major 
emphasis  on  measurement  methodology  and  the  basic  technology  underlying  standardization.  Also  included 
from  time  to  time  are  survey  articles  on  topics  closely  related  to  the  Institute's  technical  and  scientific 
programs.  Issued  six  times  a  year. 

Nonperiodicals 


Monographs — Major  contributions  to  the  technical  literature  on  various  subjects  related  to  the 
Institute's  scientific  and  technical  activities. 

Handbooks — Recommended codes of engineering and industrial practice (including safety codes) developed in cooperation with interested industries, professional organizations, and regulatory bodies.
Special  Publications — Include  proceedings  of  conferences  sponsored  by  NIST,  NIST  annual  reports,  and 
other  special  publications  appropriate  to  this  grouping  such  as  wall  charts,  pocket  cards,  and  bibliographies. 

National  Standard  Reference  Data  Series — Provides  quantitative  data  on  the  physical  and  chemical 
properties  of  materials,  compiled  from  the  world's  literature  and  critically  evaluated.  Developed  under  a 
worldwide  program  coordinated  by  NIST  under  the  authority  of  the  National  Standard  Data  Act  (Public 
Law  90-396).  NOTE:  The  Journal  of  Physical  and  Chemical  Reference  Data  (JPCRD)  is  published 
bimonthly  for  NIST  by  the  American  Institute  of  Physics  (AIP).  Subscription  orders  and  renewals  are 
available  from  AIP,  P.O.  Box  503284,  St.  Louis,  MO  63150-3284. 

Building  Science  Series — Disseminates  technical  information  developed  at  the  Institute  on  building 
materials,  components,  systems,  and  whole  structures.  The  series  presents  research  results,  test  methods,  and 
performance  criteria  related  to  the  structural  and  environmental  functions  and  the  durability  and  safety 
characteristics  of  building  elements  and  systems. 

Technical  Notes — Studies  or  reports  which  are  complete  in  themselves  but  restrictive  in  their  treatment  of 
a  subject.  Analogous  to  monographs  but  not  so  comprehensive  in  scope  or  definitive  in  treatment  of  the 
subject  area.  Often  serve  as  a  vehicle  for  final  reports  of  work  performed  at  NIST  under  the  sponsorship  of 
other  government  agencies. 

Voluntary  Product  Standards — Developed  under  procedures  published  by  the  Department  of  Commerce 
in  Part  10,  Title  15,  of  the  Code  of  Federal  Regulations.  The  standards  establish  nationally  recognized 
requirements  for  products,  and  provide  all  concerned  interests  with  a  basis  for  common  understanding  of 
the  characteristics  of  the  products.  NIST  administers  this  program  in  support  of  the  efforts  of  private-sector 
standardizing  organizations. 

Order the following NIST publications — FIPS and NISTIRs — from the National Technical Information Service, Springfield, VA 22161.

Federal  Information  Processing  Standards  Publications  (FIPS  PUB) — Publications  in  this  series 
collectively  constitute  the  Federal  Information  Processing  Standards  Register.  The  Register  serves  as  the 
official  source  of  information  in  the  Federal  Government  regarding  standards  issued  by  NIST  pursuant  to 
the  Federal  Property  and  Administrative  Services  Act  of  1949  as  amended,  Public  Law  89-306  (79  Stat. 
1127),  and  as  implemented  by  Executive  Order  11717  (38  FR  12315,  dated  May  11,  1973)  and  Part  6  of 
Title  15  CFR  (Code  of  Federal  Regulations). 

NIST Interagency or Internal Reports (NISTIR) — The series includes interim or final reports on work
performed  by  NIST  for  outside  sponsors  (both  government  and  nongovernment).  In  general,  initial 
distribution  is  handled  by  the  sponsor;  public  distribution  is  handled  by  sales  through  the  National  Technical 
Information  Service,  Springfield,  VA  22161,  in  hard  copy,  electronic  media,  or  microfiche  form.  NISTIR's 
may  also  report  results  of  NIST  projects  of  transitory  or  limited  interest,  including  those  that  will  be 
published  subsequently  in  more  comprehensive  form. 